package com.evolveum.midpoint.authentication.impl.filter.oidc;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.handler.AuditedLogoutHandler;
import com.evolveum.midpoint.authentication.impl.module.authentication.OidcClientModuleAuthenticationImpl;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/filter/oidc/OidcClientLogoutSuccessHandler.class */
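/**
 * Logout success handler for the OIDC client authentication module.
 *
 * <p>When the session being logged out was established through an OIDC login and the provider
 * metadata contains an {@code end_session_endpoint}, the user agent is sent to that endpoint with
 * {@code id_token_hint} and, if configured, {@code post_logout_redirect_uri}. In every other case
 * the target URL is determined by the superclass.
 */
public class OidcClientLogoutSuccessHandler extends AuditedLogoutHandler {
    private final ClientRegistrationRepository clientRegistrationRepository;
    // Path (relative to the application base URL) the provider should send the user back to; null = not sent.
    private String postLogoutRedirectUri;
    // Optional fixed base URL; when empty the base URL is derived from the incoming request.
    private String publicUrlPrefix;

    /**
     * @param clientRegistrationRepository repository used to look up the client registration of the
     *                                     logged-in user; must not be null
     */
    public OidcClientLogoutSuccessHandler(ClientRegistrationRepository clientRegistrationRepository) {
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    /**
     * Delegates to the superclass {@code handle} method and then calls {@code auditEvent} for the
     * logout.
     */
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        super.handle(httpServletRequest, httpServletResponse, authentication);
        auditEvent(httpServletRequest, authentication);
    }

    /**
     * Returns the provider's end-session URL when one can be built for this authentication,
     * otherwise the target URL chosen by the superclass.
     */
    protected String determineTargetUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        String endSessionUrl = resolveEndSessionUrl(httpServletRequest, authentication);
        return endSessionUrl != null ? endSessionUrl : super.determineTargetUrl(httpServletRequest, httpServletResponse);
    }

    /**
     * Builds the RP-initiated logout URL, or returns null when the authentication is not an OIDC
     * login handled by this module or the provider publishes no end-session endpoint.
     */
    private String resolveEndSessionUrl(HttpServletRequest request, Authentication authentication) {
        if (!(authentication instanceof MidpointAuthentication)) {
            return null;
        }
        ModuleAuthentication moduleAuthentication = ((MidpointAuthentication) authentication).getProcessingModuleAuthentication();
        if (!(moduleAuthentication instanceof OidcClientModuleAuthenticationImpl)) {
            return null;
        }
        Authentication internalAuthentication = moduleAuthentication.getAuthentication();
        boolean supportedToken = internalAuthentication instanceof PreAuthenticatedAuthenticationToken
                || internalAuthentication instanceof AnonymousAuthenticationToken;
        if (!supportedToken) {
            return null;
        }
        // The original OAuth2 login token is carried in the details of the module's token.
        Object details = internalAuthentication.getDetails();
        if (!(details instanceof OAuth2LoginAuthenticationToken)) {
            return null;
        }
        OAuth2LoginAuthenticationToken loginToken = (OAuth2LoginAuthenticationToken) details;
        OidcUser oidcUser = getOidcUser(loginToken);
        if (oidcUser == null) {
            return null;
        }
        // Re-read the registration from the repository by id rather than trusting the copy held in the token.
        String registrationId = loginToken.getClientRegistration().getRegistrationId();
        URI endSessionEndpoint = endSessionEndpoint(this.clientRegistrationRepository.findByRegistrationId(registrationId));
        if (endSessionEndpoint == null) {
            return null;
        }
        return endpointUri(endSessionEndpoint, idToken(oidcUser), postLogoutRedirectUri(request));
    }

    /** Returns the OIDC user from the token's principal or, failing that, its details; null if neither is one. */
    private OidcUser getOidcUser(OAuth2LoginAuthenticationToken loginToken) {
        Object principal = loginToken.getPrincipal();
        if (principal instanceof OidcUser) {
            // Explicit cast: the principal is not statically typed as OidcUser.
            return (OidcUser) principal;
        }
        Object details = loginToken.getDetails();
        if (details instanceof OidcUser) {
            return (OidcUser) details;
        }
        return null;
    }

    /**
     * Reads {@code end_session_endpoint} from the provider configuration metadata.
     *
     * @return the endpoint, or null when there is no registration or no such metadata entry
     * @throws IllegalArgumentException if the metadata value is not a syntactically valid URI
     */
    private URI endSessionEndpoint(ClientRegistration clientRegistration) {
        if (clientRegistration == null) {
            return null;
        }
        Object endpoint = clientRegistration.getProviderDetails().getConfigurationMetadata().get("end_session_endpoint");
        return endpoint == null ? null : URI.create(endpoint.toString());
    }

    /** Returns the raw ID token value, sent to the provider as {@code id_token_hint}. */
    private String idToken(OidcUser oidcUser) {
        return oidcUser.getIdToken().getTokenValue();
    }

    /**
     * Builds the absolute {@code post_logout_redirect_uri}, or returns null when none is configured.
     *
     * <p>With an empty {@code publicUrlPrefix} the scheme, host and port come from the incoming
     * request, so the result depends on how the container and any reverse proxy report them;
     * configuring {@code publicUrlPrefix} pins the value.
     */
    private String postLogoutRedirectUri(HttpServletRequest request) {
        if (this.postLogoutRedirectUri == null) {
            return null;
        }
        String relativePath = AuthUtil.stripStartingSlashes(this.postLogoutRedirectUri);
        if (StringUtils.isEmpty(this.publicUrlPrefix)) {
            // buildFullRequestUrl includes the logout request's query string; drop it so request
            // parameters are neither forwarded to the provider nor make the redirect URI differ
            // from the one registered there.
            return UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
                    .replacePath(request.getContextPath())
                    .replaceQuery(null)
                    .pathSegment(relativePath)
                    .build()
                    .toUriString();
        }
        return UriComponentsBuilder.fromUriString(this.publicUrlPrefix)
                .pathSegment(relativePath)
                .build()
                .toUriString();
    }

    /**
     * Appends the logout parameters to the end-session endpoint and returns the encoded URL.
     *
     * <p>The ID token travels in the query string of the redirect, so it can end up in browser
     * history and in access logs along the way.
     */
    private String endpointUri(URI endSessionEndpoint, String idToken, String postLogoutRedirectUri) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromUri(endSessionEndpoint);
        builder.queryParam("id_token_hint", idToken);
        if (postLogoutRedirectUri != null) {
            builder.queryParam("post_logout_redirect_uri", postLogoutRedirectUri);
        }
        return builder.encode(StandardCharsets.UTF_8).build().toUriString();
    }

    /**
     * Sets the path the provider should redirect to after logout.
     *
     * @param str the path, resolved against the application base URL; must not be null
     */
    public void setPostLogoutRedirectUri(String str) {
        Assert.notNull(str, "postLogoutRedirectUri cannot be null");
        this.postLogoutRedirectUri = str;
    }

    /**
     * Sets the fixed base URL used to build the post-logout redirect URI.
     *
     * @param str the base URL; null or empty means the base URL is derived from the request
     */
    public void setPublicUrlPrefix(String str) {
        this.publicUrlPrefix = str;
    }
}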
